Secure Your Development Process - Or Face the Growing Risks to Software
October 18, 2022

Tomislav Pericin

During the past year-and-a-half, the US federal government developed a canon of guidance that addresses software supply chain security. It began with the Biden Administration's Executive Order 14028 on Improving the Nation's Cybersecurity, followed by the National Institute of Standards and Technology (NIST) publishing the first version of their Secure Software Development Framework. And most recently, the White House's memorandum (PDF) on behalf of the Office of Management and Budget (OMB) that mandates the federal use of secure third-party software.

Needless to say, the federal government has been quite busy building its case that both the private and public sectors need to address software supply chain risk head-on. However, all of the mentioned motions above, while essential to software security, do not directly address the private sector. For the many software organizations out there that do not work directly with the federal government, what can serve as their source of truth for software supply chain security?

Well, a recent report titled Securing the Software Supply Chain may be what software organizations are looking for.

The Report: Software Security's "Compendium"

This report, tagged as a "recommended practices guide for developers," was written by the federal government's Enduring Security Framework (ESF) Software Supply Chain Working Panel. The ESF has representation from government agencies, specifically the Cybersecurity and Infrastructure Agency (CISA), the National Security Agency (NSA), and the Office for the Director of National Intelligence (ODNI). It also has experts from the IT, Communications and Defense Industrial Base sectors, making the working group representative of public-private partnership.

The guidance is meant to serve as a "compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain." It's split into 3 parts, with each part addressing either developers, suppliers, and customer stakeholders, who all have a stake in securing software supply chains.

The report consists of several key points that should help software organizations get on the right track when it comes to software security.

First, it paints an accurate picture of the problem at large, which is that there are a number of active risks to the software supply chain. It goes beyond the infamous SolarWinds incident of December 2020 to include other possible risks like software tampering, attackers abusing open source repositories, and malicious binaries.

Second, the report serves as a true "compendium." ReversingLabs Cyber Content Lead Paul Roberts noted that this report can be characterized as a Rosetta Stone for software supply chain security. The ESF pulls together both private and public sector documents that advise on software security, making it easier for software organizations to familiarize themselves with standard practices for ensuring proper software security health.

Third, the ESF's guidance makes helpful recommendations for securing software supply chains. For example, the report emphasizes the use of software composition analysis (SCA) tools, given that the risk of malicious binaries is often overlooked. It also focuses on software bills of materials (SBOMs) as being a necessary tool to understand what kinds of components a software product includes, such as open source and third-party components. Additionally, it recommends that software organizations conduct automated static and dynamic testing of newly checked-in code, allowing them to look for vulnerabilities.

While it's clear that the ESF report is a momentous step forward for secure software, there is still a hurdle to overcome: software organizations that do not do business with the federal government, as well as federal development teams and contractors, are not mandated to follow these guidelines. Instead, these organizations must incentivize themselves to do the heavy-lifting.

Thinking Beyond SolarWinds

While SolarWinds serves as the catalyst for the software security movement, it is not the only incident that demonstrates the magnitude of this problem. It has been almost 2 years since SolarWinds, and within this span of time, more attacks and new risks to the software supply chain have been discovered. Additionally, we have learned a great deal about where the industry stands when it comes to securing software.

For example, a ReversingLabs commissioned study, conducted by Dimensional Research, found that a majority of software organizations in 2022 are not equipped to handle software supply chain risks. Out of 300 respondents, roughly half of them reported that their organizations cannot protect their software against third-party risks when using open source, commercial solutions, and partner software. Also, only 37% of respondents confirmed that they have a way of detecting software tampering across their supply chain, and very few (7%) check for tampering in every development stage.

As the software industry struggles to follow secure software practices, the risks and attack possibilities to the software supply chain continue to grow. Attacks on popular open source repositories like npm and PyPI have skyrocketed by 289% over the past 4 years.

That growth is evident in recently discovered software supply chain attacks that abuse these public repositories, such as the IconBurst supply chain attack, as well as additional attacks on both npm and PyPI.

Despite the vast attack possibilities on open source repositories, this problem is just one risk to the software supply chain. The ESF report calls out a number of areas in addition to open source risk that software organizations need to pay attention to when securing their development processes.

For example, the ESF guidance notes that modern Integrated Development Environments (IDEs) are extensible with third party plug-ins, creating the possibility that malicious IDE plug-ins may compromise the local development environment. Such tools and third party plug-ins should be scanned for vulnerabilities and evidence of tampering before being added to developer machines, the ESF report argues.

Software Suppliers: Get Ahead While You Still Can

There are fair criticisms of the ESF report, such as it not being practical enough for developers to follow. However, given the wealth of content, resources, and action steps this report provides, it is clear that the document serves as a good starting point for organizations looking to secure their software development practices.

It is also likely that these same organizations do not want to become the next SolarWinds. This is why they need to implement robust software security policies that will aid their organization's ability to prevent these kinds of incidents. This is why, despite its flaws, the ESF report is a big step in the right direction.

Tomislav Pericin is Chief Software Architect at ReversingLabs
Share this

Industry News

April 18, 2024

SmartBear announced a new version of its API design and documentation tool, SwaggerHub, integrating Stoplight’s API open source tools.

April 18, 2024

Red Hat announced updates to Red Hat Trusted Software Supply Chain.

April 18, 2024

Tricentis announced the latest update to the company’s AI offerings with the launch of Tricentis Copilot, a suite of solutions leveraging generative AI to enhance productivity throughout the entire testing lifecycle.

April 17, 2024

CIQ launched fully supported, upstream stable kernels for Rocky Linux via the CIQ Enterprise Linux Platform, providing enhanced performance, hardware compatibility and security.

April 17, 2024

Redgate launched an enterprise version of its database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

April 17, 2024

Snyk announced the expansion of its current partnership with Google Cloud to advance secure code generated by Google Cloud’s generative-AI-powered collaborator service, Gemini Code Assist.

April 16, 2024

Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).

April 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

April 16, 2024

Sylabs announces the launch of a new certification focusing on the Singularity container platform.

April 15, 2024

OpenText™ announced Cloud Editions (CE) 24.2, including OpenText DevOps Cloud and OpenText™ DevOps Aviator.

April 15, 2024

Postman announced its acquisition of Orbit, the community growth platform for developer companies.

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.